As the attack surface grows, CISOs and IT leaders must take the steps necessary to protect their rapidly expanding networks and increasingly distributed workforce. One effective approach is known as systems or security hardening. In this blog, we define security hardening, explain its importance in cyber defense, and outline some best practices using specific tools and guidelines to effectively reduce risk.
In addition to cybersecurity efforts, Chief Risk Officers (CROs) should also focus on hardening physical security because the two are co-dependent. For example, badge readers should be deployed at all office and facility entry points to control physical access, and at control points where sensitive information or systems are used or stored. All of these need to be managed centrally. One consistent weak point of many organizations is the lack of speed in offboarding employees who resign or are let go. Immediately disabling cyber privileges, changing passwords, and simultaneously deactivating entry badges and access codes must be a priority. This requires establishing a standardized process for consistent and rapid employee offboarding that spans the cyber and physical domains.
However, this blog is written specifically for CISOs, so let's focus on cybersecurity. Systems hardening includes everything in an organization’s cyber world: the network, the endpoints, the applications, and the cloud. It also includes development, test, and production environments.
It’s always important to begin any discussion by agreeing on terminology. Different vendors use the term "security hardening" when marketing their niche products. For example, if you're in software orchestration or something similar, you may say that security hardening involves activities calculated to protect applications. Or, if you're in the networking business, security hardening may mean protecting your networking equipment. However, from a CISO or a CIO viewpoint, the term should be viewed more broadly and generically. For this discussion, we’ll define security hardening as simply doing whatever needs to be done to protect the organization’s digital and operational assets.
At its core, cybersecurity is all about hardening the entire connected environment to protect against attacks and intrusions by cyber adversaries and hostile forces. One of the earliest uses of the term "hardening" in this context was related to intercontinental ballistic missile (ICBM) silos. The goal of hardening was to enable these facilities to withstand a direct attack by a nuclear bomb. When you consider the devastating impact a cyberattack can have on an organization, the term "security hardening" is certainly appropriate.
To successfully harden cybersecurity, a CISO needs tools and solutions that can automatically shield as many of the organization’s cyber vulnerabilities as possible. The security hardening process ensures organizations and networks are not exposed to exploits due to a “door being left open.” The critical aspect of this is automation. Isolated devices and security systems that struggle to work as part of a collective system can make automation impossible. So, even a decent network firewall can prevent effective security hardening if it operates in a silo.
Every environment will have differences, both subtle and not so subtle. However, several vulnerabilities tend to be common across many organizations, including:
The first step in security hardening that a CISO and the IT team must take is identifying all vulnerabilities and reducing the organization’s attack surface exposure. Vulnerabilities can range from outdated or vulnerable software and systems to trivial access controls to weaknesses engineered into the design of the network.
And unfortunately, this environment is constantly changing. The attack surface is made up of anything a threat actor can exploit. This includes personal computers and mobile devices directly connected to the corporate network, cloud environments, remote access tools, applications, and databases. Any device or system that is not actively contributing to the security of your environment is a risk that must be understood and addressed. Anything connected to your network, even temporarily, may have vulnerabilities that can be exploited if an attacker can reach them, with potentially serious consequences.
Another area of software concern is the common tactic of exploiting known vulnerabilities. Of course, most software vendors provide patches as soon as vulnerabilities are discovered. But if you don't apply those patches, they do you no good. That’s why the most devastating malware attacks of the past decade have targeted software vulnerabilities for which patches were readily available. CISOs and IT leaders must emphasize good patch management and consistently upgrade or replace software.
Unencrypted databases are another area of vulnerability. Encryption makes it harder for attackers to steal from your organization. For example, none of the personal or corporate information for sale on the dark web today was stored as encrypted data.
In addition to your software and databases, there can be vulnerabilities in hardware and networking devices. Additional risks often arise because these devices are also interconnected through a corporate network. As with software, patch management for hardware is also essential, including updating operating systems, firmware, and BIOS systems. Misconfiguration is another common problem that can lead to exploitation. But because these devices are interconnected, any that become contaminated or compromised can provide a direct avenue to all your other networked assets, including databases and applications.
If we look at hardware vulnerabilities from a network point of view, the endpoint device is especially important. However, it’s not just PCs and mobile devices you need to be concerned about. There are also Internet-of-Things (IoT) devices that need to be secured—both from being attacked and from becoming a tool of attackers. These devices need to be updated where (and if) possible and given different levels of privilege depending on the kind of device they are and the types of users accessing them.
A classic example is the video surveillance camera. Many of these devices have been exploited in the past, most commonly to be used in botnets. CISOs need to make sure that video cameras can't be exploited, are generating only appropriate video traffic, and cannot receive unauthorized commands.
One big challenge is vulnerabilities found in default cloud configurations. For example, databases in many cloud environments, both public and private, often include a default setting that leaves them open to the internet. To successfully harden that database, the default setting must be changed. But DevOps folks who have not been trained in security often overlook issues like this, exposing the organization to significant risk. It’s the kind of vulnerability that CISOs need to be ferreting out and hardening in their environments.
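The kind of check a CISO's team can automate for the database example above, as an added illustration that is not part of the original post or any Fortinet product: a small audit over ingress rules in a constructed, vendor-neutral shape (the rule fields, the sample rules and the "application subnet" 10.20.0.0/16 are all assumptions made for this example, not any cloud provider's API). It flags database listeners whose source is the entire internet, and produces the hardened form of the same rule set in which those listeners only admit the application tier.

```python
import ipaddress
from typing import Dict, List

# Well-known database listener ports; a rule on one of these ports that admits
# the whole internet is the "default setting that leaves them open" in the text.
DB_PORTS = {3306: "mysql", 5432: "postgresql", 1433: "mssql", 27017: "mongodb", 6379: "redis"}

# Constructed sample of ingress rules in a vendor-neutral shape
# (not any real cloud provider's API format).
SAMPLE_RULES: List[Dict] = [
    {"name": "allow-https", "port": 443, "source": "0.0.0.0/0"},           # public web listener, expected
    {"name": "db-default", "port": 5432, "source": "0.0.0.0/0"},           # weak default: DB open to the world
    {"name": "db-ipv6-default", "port": 3306, "source": "::/0"},           # same problem over IPv6
    {"name": "db-from-app-tier", "port": 5432, "source": "10.20.0.0/16"},  # already restricted
]


def is_world_open(cidr: str) -> bool:
    """True if the source covers the entire IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_exposed_db_rules(rules: List[Dict]) -> List[Dict]:
    """Return the rules that expose a database port to any source address."""
    return [r for r in rules if r["port"] in DB_PORTS and is_world_open(r["source"])]


def harden_rules(rules: List[Dict], allowed_sources: Dict[int, str]) -> List[Dict]:
    """Rewrite world-open database rules so they only admit the allowed source
    network of the same IP version (e.g. the application subnet). A world-open
    database rule with no replacement source for its IP family is dropped."""
    for cidr in allowed_sources.values():
        if is_world_open(cidr):
            raise ValueError(f"allowed source {cidr} is itself world-open")
    hardened = []
    for rule in rules:
        if rule["port"] in DB_PORTS and is_world_open(rule["source"]):
            version = ipaddress.ip_network(rule["source"], strict=False).version
            replacement = allowed_sources.get(version)
            if replacement is None:
                continue  # no private source for this IP family: remove the rule entirely
            hardened.append({**rule, "source": replacement})
        else:
            hardened.append(rule)
    return hardened


if __name__ == "__main__":
    for r in find_exposed_db_rules(SAMPLE_RULES):
        print(f"EXPOSED: {r['name']} ({DB_PORTS[r['port']]}) reachable from {r['source']}")
    fixed = harden_rules(SAMPLE_RULES, {4: "10.20.0.0/16"})  # assumed application subnet
    print("exposed rules after hardening:", find_exposed_db_rules(fixed))
```

The same check belongs in the DevOps pipeline that deploys the rules, so the default never reaches production; running it only as a periodic audit still leaves the window between deployment and the next scan.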
Another common attack vector is phishing or other forms of social engineering to trick users into clicking on malicious links or divulging information that can allow an attacker to gain access to the network. And once in, they escalate user privileges to move through the network to find assets and data to steal, ransom, or misuse. Such vulnerabilities are all part of the attack surface, and security hardening must address them to ensure that the entire attack surface is impenetrable.
A large percentage of cyberattacks succeed due to human error. This means two simultaneously true things: People are your weakest link and your best defense. Your people should be thought of as the shock troops on the front line of your defenses. With proper training, they can protect your organization from the vast majority of attacks.
Below are some guidelines on how your organization can begin hardening your systems against security threats:
With proper training, your staff can better protect your organization. Create a cyber-aware workforce with low-cost or no-cost training. Check out Fortinet’s NSE training, which is available free of charge. You can also augment training with real-life phishing simulations to assess and improve your organization’s readiness.
Whenever possible, having your machines and devices protected automatically is ideal. Removing human intervention and establishing strict, automated routines for patching and updating software is a critical step in security hardening an organization. Of course, automation is not always possible in sensitive areas. In those cases, consider proximity or virtual patching, which adds an extra layer of security such as an IPS device specifically assigned to monitor and protect systems that cannot be patched. Patching and updating should also be made high priorities so they do not slide down the to-do list.
Use password management tools and multi-factor authentication (MFA) to ensure passwords meet essential guidelines. These forms of security hardening prevent a compromised password from leading to a compromised system. Services that monitor dark web forums where credentials are sold can also help ensure that leaked credentials are changed before they are exploited.
The misconfiguration of devices and applications can create holes in an organization’s cyber defenses. Many cloud breaches have occurred because attackers have found “open or unlocked” backdoors into critical infrastructure. Many vendors sell configuration tools that can help you identify and correct misconfigurations. But the best solution is to automate the configuring of devices to avoid human error.
Security hardening is an active version of good cybersecurity hygiene. Run an inventory of what’s on your network and clean out old and unnecessary items and privileges on your systems. Do the same for individual systems, making sure to remove orphaned or unused accounts and outdated applications.
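One concrete form of the account clean-up described above, added here as an illustration rather than code from the original post: an audit that joins a directory export against the HR roster and a list of known service accounts, flagging accounts that are orphaned (no current owner), never used, or idle beyond a threshold, and prioritising those with administrative rights. The account records, roster and 90-day threshold are constructed assumptions for this example; a real run would read them from the directory and the HR system.

```python
from datetime import date, timedelta
from typing import Dict, List, Set

# Constructed sample directory export. Dates are ISO strings as a typical
# export would give them; last_login None means the account never signed in.
ACCOUNTS: List[Dict] = [
    {"user": "alice",      "last_login": "2024-05-30", "enabled": True,  "admin": False},
    {"user": "bob",        "last_login": "2023-11-02", "enabled": True,  "admin": True},   # idle admin
    {"user": "svc-backup", "last_login": "2024-05-29", "enabled": True,  "admin": True},   # known service account
    {"user": "carol",      "last_login": "2024-04-01", "enabled": True,  "admin": False},  # no longer on the roster
    {"user": "dave",       "last_login": None,         "enabled": True,  "admin": False},  # created, never used
    {"user": "erin",       "last_login": "2022-01-15", "enabled": False, "admin": False},  # already disabled
]
HR_ROSTER: Set[str] = {"alice", "bob", "dave"}   # constructed current-employee list from HR
SERVICE_ACCOUNTS: Set[str] = {"svc-backup"}      # constructed allow-list of non-human accounts


def audit_accounts(accounts: List[Dict], roster: Set[str], service_accounts: Set[str],
                   today: str, max_idle_days: int = 90) -> List[Dict]:
    """Return the enabled accounts that should be reviewed, with the reasons
    ('orphaned', 'never-used', 'stale') and a priority based on admin rights.
    `today` is an ISO date string so the audit date is explicit and repeatable."""
    cutoff = date.fromisoformat(today) - timedelta(days=max_idle_days)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already cleaned up, nothing to do
        reasons = []
        if acct["user"] not in roster and acct["user"] not in service_accounts:
            reasons.append("orphaned")    # no current owner in HR and not a known service account
        if acct["last_login"] is None:
            reasons.append("never-used")  # provisioned but never signed in
        elif date.fromisoformat(acct["last_login"]) < cutoff:
            reasons.append("stale")       # idle longer than the threshold
        if reasons:
            findings.append({
                "user": acct["user"],
                "reasons": reasons,
                "priority": "high" if acct["admin"] else "normal",
            })
    return findings


if __name__ == "__main__":
    for f in audit_accounts(ACCOUNTS, HR_ROSTER, SERVICE_ACCOUNTS, "2024-06-01"):
        print(f"[{f['priority']}] {f['user']}: {', '.join(f['reasons'])}")
```

The roster join is what catches the offboarding gap mentioned earlier: an account that still logs in but whose owner has left shows up as orphaned even though it is not stale, which a last-login report alone would miss.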
Know what you've got. After you’ve performed systems audits to find out what applications, hardware, and IoT devices are in your internal environment, do not forget to look outside your organization. And it’s always helpful to get an “outsider’s POV” on your network to audit your systems, identify what's there, and determine who has access to what. For example, a digital risk protection service (DRPS) can provide an outside-the-network view of the risks posed to your enterprise.
CISOs and IT teams should recognize that they don’t have all the answers. Another vital element of security hardening is the establishment of global partnerships and sharing threat intelligence with others who are also in the fight against cybercrime.